Bug 1459158 (CVE-2017-5664)

Summary: CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aileenc, alee, apmukher, bmaxwell, ccoleman, cdewolf, chazlett, coolsvap, csutherl, darran.lofthouse, dedgar, dimitris, dmcphers, dmoppert, dm, dosoudil, fgavrilo, gvarsami, gzaronik, hhorak, ivan.afonichev, java-sig-commits, jawilson, jclere, jcoleman, jdoyle, jgoulding, jolee, jondruse, jorton, jshepherd, kbost, kconner, krzysztof.daniel, ldimaggi, lgao, loleary, mbabacek, mhatanak, mizdebsk, myarboro, nwallace, pgier, pjurak, ppalaga, psakar, pslavice, rnetuka, rstancel, rsvoboda, rwagner, spinder, tcunning, theute, tkirby, twalsh, vhalbert, vtunka, weli, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: tomcat 7.0.78, tomcat 8.0.44, tomcat 8.5.15 Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:14:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1459160, 1459161, 1459162, 1459746, 1459747, 1459752, 1460573, 1460635, 1461291, 1461292, 1461631, 1463611    
Bug Blocks: 1446025, 1446026, 1459164, 1479475, 1482229, 1485997    

Description Adam Mariš 2017-06-06 12:36:48 UTC 
The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method.

If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTT method. Tomcat's Default Servlet did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page.

Affects: 7.0.0 to 7.0.77, 8.0.0.RC1 to 8.0.43, 8.5.0 to 8.5.14

Upstream fixes:

Tomcat 7.x:

https://svn.apache.org/viewvc?view=revision&revision=1793471
https://svn.apache.org/viewvc?view=revision&revision=1793491

Tomcat 8.0.x:

https://svn.apache.org/viewvc?view=revision&revision=1793470
https://svn.apache.org/viewvc?view=revision&revision=1793489

Tomcat 8.5.x:

https://svn.apache.org/viewvc?view=revision&revision=1793469
https://svn.apache.org/viewvc?view=revision&revision=1793488

External References:

https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.78
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.44
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.15
Comment 1 Adam Mariš 2017-06-06 12:38:25 UTC 
Created jbossweb tracking bugs for this issue:

Affects: openshift-1 [bug 1459162]


Created tomcat tracking bugs for this issue:

Affects: epel-6 [bug 1459161]
Affects: fedora-all [bug 1459160]
Comment 4 Daniel Murygin 2017-06-09 10:14:51 UTC 
Is Tomcat 6 affected by this bug? Tomcat 6 is still in the repository of RHEL 6. RHEL. Extended support for RHEL 6 ends in November 2020. Will there be a fix for Tomcat 6 in the RHEL 6 repository?
Comment 11 Timothy Walsh 2017-06-14 07:26:30 UTC 
Mitigation:

If it is necessary to have the DefaultServlet property readonly=false, use a jsp error page, for example Error404.jsp rather than a static html error page. Alternatively do not specify an error-page in the Deployment Descriptor and use a custom ErrorReportValve.
Comment 22 errata-xmlrpc 2017-07-25 16:46:46 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7
  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2017:1801 https://access.redhat.com/errata/RHSA-2017:1801
Comment 23 errata-xmlrpc 2017-07-25 17:47:53 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3.1.1

Via RHSA-2017:1802 https://access.redhat.com/errata/RHSA-2017:1802
Comment 24 errata-xmlrpc 2017-07-27 06:11:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1809 https://access.redhat.com/errata/RHSA-2017:1809
Comment 25 errata-xmlrpc 2017-08-21 15:26:43 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2

Via RHSA-2017:2494 https://access.redhat.com/errata/RHSA-2017:2494
Comment 26 errata-xmlrpc 2017-08-21 15:35:26 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2 for RHEL 6
  Red Hat JBoss Enterprise Web Server 2 for RHEL 7

Via RHSA-2017:2493 https://access.redhat.com/errata/RHSA-2017:2493
Comment 27 errata-xmlrpc 2017-09-05 14:33:12 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2017:2633 https://access.redhat.com/errata/RHSA-2017:2633
Comment 28 errata-xmlrpc 2017-09-05 15:12:38 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2017:2636 https://access.redhat.com/errata/RHSA-2017:2636
Comment 29 errata-xmlrpc 2017-09-05 15:14:03 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2017:2637 https://access.redhat.com/errata/RHSA-2017:2637
Comment 30 errata-xmlrpc 2017-09-05 15:15:29 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:2635 https://access.redhat.com/errata/RHSA-2017:2635
Comment 31 errata-xmlrpc 2017-09-05 15:37:48 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:2638 https://access.redhat.com/errata/RHSA-2017:2638
Comment 32 errata-xmlrpc 2017-10-30 00:17:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:3080 https://access.redhat.com/errata/RHSA-2017:3080
Comment 33 Doran Moppert 2017-10-30 00:41:41 UTC 
Statement:

This flaw can be triggered for static error pages only if the readonly property for the DefaultServlet is set to false in the $CATALINA_HOME/conf/web.xml file.  The default for readonly is true.